Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe, formerly available from www.bindview.com. It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup. The tool usage can be found below, followed by examples; previous versions of the tool can be found at the bottom of the page.

Dependencies

You will need to have the Samba package installed as this script is basically just a wrapper around rpcclient, net, nmblookup and smbclient.

Usage

$ enum4linux.pl -h
enum4linux v0.8.2 (https://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2006 Mark Lowe (mrl@portcullis-security.com)
Simple wrapper around the tools in the samba package to provide similar functionality
to enum (http://www.bindview.com/Services/RAZOR/Utilities/Windows/enum_readme.cfm).
Some additional features such as RID cycling have also been added for convenience.
This is an ALPHA release only. Some of the options supported by the original "enum"
aren't implemented in this release.
Usage: /usr/local/bin/enum4linux.pl [options] ip
Options are (like "enum"):
-U get userlist
-M get machine list*
-N get namelist dump (different from -U|-M)*
-S get sharelist
-P get password policy information*
-G get group and member list
-L get LSA policy information*
-D dictionary crack, needs -u and -f*
-d be detailed, applies to -U and -S
-u username specify username to use (default "")
-p password specify password to use (default "")
-f filename specify dictfile to use (wants -D)*
* = Not implemented in this release.
Additional options:
-a Do all simple enumeration (-U -S -G -r -o -n)
-h Display this help message and exit
-r enumerate users via RID cycling
-R range RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
-s filename brute force guessing for share names
-k username User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
Used to get sid with "lookupsid known_username"
Use commas to try several users: "-k admin,user1,user2"
-o Get OS information
-i Get printer information
-w workgroup Specify workgroup manually (usually found automatically)
-n Do an nmblookup (similar to nbtstat)
-v Verbose. Shows full commands being run (net, rpcclient, etc.)
RID cycling should extract a list of users from Windows (or Samba) hosts which have
RestrictAnonymous set to 1 (Windows NT and 2000), or "Network access: Allow
anonymous SID/Name translation" enabled (XP, 2003).
If no usernames are known, good names to try against Windows systems are:
- administrator
- guest
- none
- helpassistant
- aspnet
The following might work against samba systems:
- root
- nobody
- sys
NB: Samba servers often seem to have RIDs in the range 3000-3050.

Examples

Below are examples which demonstrate most of the features of enum4linux. Output has been edited for brevity in most cases.

Verbose mode

Before we delve into the features of enum4linux, it’s worth pointing out that verbose mode shows you the underlying commands being run by enum4linux (rpcclient, smbclient, etc.). This is useful if you want to use the underlying commands manually, but can’t figure out the syntax to use. Note the lines beginning with [V] in the output below:

The “Do Everything” option

As you read through the following section you’ll probably think that there are a lot of options you need to remember. If you just want enum4linux to try to enumerate all the information it can from a remote host, just use the -a option:

$ enum4linux.pl -a 192.168.2.55

NB: This won’t do dictionary-based share name guessing, but does pretty much everything else.

Obtain list of usernames (RestrictAnonymous = 0)

This feature is similar to enum.exe -U IP. It returns a complete list of usernames if the server allows it. On Windows 2000 the RestrictAnonymous registry setting must be set to 0 for this feature to work. The user list is shown twice in two different formats because two different underlying commands are used to retrieve the data.

Obtain a list of usernames (using authentication)

If you’ve managed to obtain a username and password for the host, you can use it to retrieve a complete list of users regardless of RestrictAnonymous settings. In the example below we use the administrator account, but any account will do:

Before RID cycling can start, enum4linux needs to get the SID from the remote host. It does this by requesting the SID of a known username / group (pretty much the same thing every other RID-cycling tool does). You can see in the above output a list of known usernames. These are tried in turn until enum4linux finds the SID of the remote host. If you’re very unlucky, this list won’t be good enough and you won’t be able to get the SID. In this case, use the -k option to specify a different known username:

$ enum4linux.pl -k anotheruser -R 500-520 192.168.2.55

You can specify a list using commas:

$ enum4linux.pl -k user1,user2,user3 -R 500-520 192.168.2.55

Group membership

If the remote host allows it, you can get a list of groups and their members using the -G option (like in enum.exe):

As with the -U option for user enumeration, you can also specify -u user -p pass to provide login credentials if required. Any user account will do, you don’t have to be an admin.

Check if host is part of a domain or workgroup

Enum4linux uses rpcclient’s lsaquery command to ask for a host’s Domain SID. If we get a proper SID we can infer that it is part of a domain. If we get the answer S-0-0 we can infer the host is part of a workgroup. This is done by default, so no command line options are required:
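The two rpcclient results the text relies on (the Domain SID from lsaquery, and the per-RID name lookups used during RID cycling) are plain text that a wrapper has to parse. The functions below are an added example, not enum4linux's own code: they read constructed samples of rpcclient output (the domain name and SID values are made up) and show the domain-vs-workgroup decision and the user/group/unknown split that the tool reports.

```shell
#!/bin/sh
# Constructed sample of what `rpcclient -U "" -N <host> -c lsaquery` prints
# for a domain member. A workgroup host answers "Domain Sid: S-0-0" instead.
LSAQUERY_OUT='Domain Name: EXAMPLEDOM
Domain Sid: S-1-5-21-1111111111-2222222222-3333333333'

# Constructed sample of lookupsids output for a cycled RID range.
# The trailing code is the SID type: (1)=user, (2)=domain group, (8)=unknown.
LOOKUPSID_OUT='S-1-5-21-1111111111-2222222222-3333333333-500 EXAMPLEDOM\Administrator (1)
S-1-5-21-1111111111-2222222222-3333333333-501 EXAMPLEDOM\Guest (1)
S-1-5-21-1111111111-2222222222-3333333333-512 EXAMPLEDOM\Domain Admins (2)
S-1-5-21-1111111111-2222222222-3333333333-513 EXAMPLEDOM\Domain Users (2)
S-1-5-21-1111111111-2222222222-3333333333-1000 EXAMPLEDOM\svc_backup (1)
S-1-5-21-1111111111-2222222222-3333333333-1001 *unknown*\*unknown* (8)'

# Read lsaquery output on stdin; print "domain <SID>" or "workgroup".
classify_host() {
    sid=$(sed -n 's/^Domain Sid: *//p')
    case "$sid" in
        S-0-0|"") echo "workgroup" ;;
        *)        echo "domain $sid" ;;
    esac
}

# Read lookupsids output on stdin; print "RID name" for entries that resolved
# to a user account (type 1). Groups and unresolved RIDs are skipped.
extract_users() {
    awk '$NF == "(1)" {
        n = split($1, parts, "-"); rid = parts[n]   # last SID component is the RID
        i = index($0, "\\")                          # name follows the DOMAIN\ prefix
        name = substr($0, i + 1)
        sub(/ \(1\)$/, "", name)                     # drop the type marker
        print rid, name
    }'
}

printf '%s\n' "$LSAQUERY_OUT" | classify_host
printf '%s\n' "$LOOKUPSID_OUT" | extract_users
```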

Listing Windows shares

If the server allows it, you can obtain a complete list of shares with the -S option. This uses smbclient under the bonnet, which also seems to grab the browse list. Enum4linux will also attempt to connect to each share with the supplied credentials (null session usually, but you could use -u user -p pass to use something else). It will report whether it could connect to the share and whether it was possible to get a directory listing.

Disclaimer

Any actions and/or activities related to the material contained within this website are solely your responsibility. The misuse of the information in this website can result in criminal charges being brought against the persons in question. The authors and www.hack4.net will not be held responsible in the event any criminal charges are brought against any individuals misusing the information in this website to break the law.